9/11 Remembered: What We've LearnedLeaders Reflect on How Attacks Changed Security Profession
Sunday, Sept. 11 marks the 10th anniversary of the terrorist attacks on New York and Washington, D.C. These devastating events forever changed our approach to security - particularly risk management, as well as business continuity and disaster recovery.
On the eve of the 10th anniversary, with U.S. government leaders warning of new potential terrorist threats to mark the occasion, we caught up with thought-leaders across various industries to discuss the lessons learned from Sept. 11, as well as the changes we still must undergo to ensure even greater security.
'People Come First'Ken Newman, information security and risk officer at Central Pacific Bank in Hawaii, has a unique perspective on Sept. 11. "My office was on the 8th floor of 4 World Trade Center," he says. "I was there that day."
What most people remember as a horrific event seen from a distance, Newman recalls as a series of moments: recognition, evacuation, evaluation, relocation, recovery.
"For me, one of the greatest lessons learned is that people always come first," Newman says. "Security may generally focus on protecting assets and resources, but, when there's a catastrophic event, employees are the top priority during and after."
Post-9/11, most of Newman's time was focused on disaster recovery, as his institution lost facilities, and staff had to re-deployed. "There were cases where security controls had to take a back seat, in a controlled and measured fashion, to ensure people's needs could be met," he says.
In the decade since, Newman has watched the technology of security become more accessible. "Organizations of all sizes can take advantage of control technologies that were only available to the largest companies 10 years ago," he says.
But now it's time to take these tools to a new level. "Security practitioners are starting to reach the point where they can rely on IT to run even more controls," Newman says. "Now, they need to learn how to give up the reins and focus their attention on policy, process and methodology and become influencers rather than doers."
'We Will be Caught Off-Guard'Like Newman, Fred Becker, president of the National Association of Federal Credit Unions, was physically close to the 9/11 attacks.
"We're very close to the Pentagon, so when the Pentagon got hit, the NAFCU building felt the shake," Becker says. "It was similar to the shake we felt when the [recent] earthquake hit. In fact, when we felt the earthquake, our immediate thought was that there had been another attack."
For Becker, the events of Sept. 11 hammer home the key messages of business continuity planning. "We were caught off-guard, and we will be caught off-guard again," he says. "The liberties in this country that we love are always going to put us in danger; but I think the way you have to approach it is: You have to think about safety and how to react."
Over the past decade, the NAFCU has made preparation a key component of its conferences, discussing topics such as lessons learned in the wake of Hurricane Katrina. The group also has hammered home the need not just for a business continuity plan, but to test those plans via drills.
"Drills are important, because when disaster does strike, you automatically do something without even thinking," Becker says. "Once you get the emotions out, you get people to focus on protecting themselves."
'Things Might Have Turned Out Differently'For Tom Wills, managing director of Secure Strategies Pte. Ltd. and a lead financial fraud analyst for Javelin Strategy & Research, the key lesson from 9/11 is about the need to "sell" security.
"As a profession, we need to develop more effective skills in selling security - that is, selling our programs to those who have to foot the bill for them," Wills says. "The 9/11 attacks could totally have been prevented had intelligence about the threat, which emerged seven to eight years prior, been acted upon in a timely fashion by the powers that be. The security people knew what needed to be done, but for whatever reasons, the countermeasures weren't implemented - well, not until after the fact."
To improve these skills is a tough challenge, he adds, "But it's definitely possible for us to learn to articulate security risks in layman's terms, instead of the techno-speak with which we're more comfortable."
To prevent future incidents, the private and public sectors need to improve their collaboration, Wills says. "Business and government need to cooperate more effectively to safeguard critical infrastructure from both cyber and physical attacks, launched by both criminals and nation states," he says. "Programs like INFRAGARD are a step in the right direction, but much more material cooperation is needed."
'Think Again'For Chuck Christian, CIO at Good Samaritan Hospital in Vincennes, Ind., the greatest lesson of Sept. 11 is to avoid complacency.
"When you think you've covered all the bases, think again," Christian says. "As healthcare becomes more complex and we have the need to share data with a wider community of providers, it's very important to keep up with the current best practices and look for expertise outside the four walls of your own organization."
Christian agrees that the information security profession has come far over the past decade. But there still are limitations and risks - particularly if organizations grow too comfortable with their security posture.
"Unfortunately, we don't know what we don't know (at least that is accurate for me)," he says. "Comprehensive security programs cost money and have to be prioritized accordingly. If you have a good program, the results should be 'no events.' In that case, it may be difficult to justify the expense for something where nothing happens."
Think the Unthinkable
Patrick Howard, chief information security officer at the Nuclear Regulatory Agency, says the main takeaway from the 9/11 attacks is think the unthinkable. "When we consider the threat, concentration on the worst-case scenarios is not only viable, but essential."
Howard says a decade later, organizations must continually fine-tune emergency response planning and practices, especially lines of coordination and communications links.
"There is a need for improving the linkage and interoperability between the various organizational security entities - counterintelligence, physical security, personal security, cybersecurity, etc. - with respect to emergency response and threat analysis."
Karen Evans, the federal CIO during the second half of the Bush administration, agrees that the ability to communicate remains a top challenge for many organizations. "With the recent earthquake in D.C., it is still obvious our telecommunications capability is most important and needs to be able to handle the load in an emergency."
Evans, now national director of the U.S. Cyber Challenge, says being ever vigilant is the main lessons of 9/11. "Have your plans always up to date and ready to execute at a moment's notice," she says.
Security at the CoreTo Scott M. Angelo, vice president and chief information officer for Diebold, the security services company, the legacy of 9/11 is that security is now a primary - not secondary - consideration.
"We're seeing security positioned at the very core of culture," he says. "Business continuity is in the spotlight and, as a result, security, awareness and preparedness are at the top of the priority list across the enterprise."
This new perspective is evident in physical plans when facilities are built or redesigned. "We're seeing more detailed programs for reviewing drawings and plans to ensure that even the construction processes are secure," Angelo says.
But security is also becoming more evident in more intangible ways - with plenty of room for improvement. "While we're seeing security becoming more engrained in corporate culture," he says, "opportunities still exist to minimize security silos and foster more effective collaboration."
Other VoicesFor more insights on the lessons learned from Sept. 11, please see:
- Lessons of Sept. 11 - Kevin Sullivan, a former investigator with the New York State Police, reflects on lessons learned and steps industries still need to take to ensure a tragedy like 9/11 is never repeated.
- Shifting Course on Infosec Post-9/11 - Former federal CIO Mark Forman on how the attacks influenced the way the federal government approaches cybersecurity.
- Security in a Post 9/11 World - Mac McMillan, a former Department of Defense security specialist who's now a consultant, says there's still plenty of work to do on disaster recovery and business continuity planning.
- 9/11: The Global Perspective - Rolf von Roessing, past international vice president of ISACA, on how the terrorist attacks impacted not just the U.S., but the world and how we all now view security and risk management.
Editors Howard Anderson, Eric Chabrow, Upasana Gupta and Tracy Kitten contributed to this report.